Bumps [rails-html-sanitizer](https://github.com/rails/rails-html-sanitizer) from 1.6.0 to 1.6.1.

<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/rails/rails-html-sanitizer/releases">rails-html-sanitizer's releases</a>.</em></p>
<blockquote>
<h2>1.6.1 / 2024-12-02</h2>
<p>This is a performance and security release which addresses several possible XSS vulnerabilities.</p>
<ul>
<li>
<p>The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.</p>
<p>This change addresses CVE-2024-53985 (<a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x">https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x</a>).</p>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content), regardless of the <code>prune:</code> option value. Previously, disallowed tags were "stripped" unless the gem was configured with the <code>prune: true</code> option.</p>
<p>The CVEs addressed by this change are:</p>
<ul>
<li>CVE-2024-53986 (<a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48">https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48</a>)</li>
<li>CVE-2024-53987 (<a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr">https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr</a>)</li>
</ul>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags are removed from the allow-list.</p>
<p>The CVEs addressed by this change are:</p>
<ul>
<li>CVE-2024-53988 (<a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5">https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5</a>)</li>
<li>CVE-2024-53989 (<a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rxv5-gxqc-xx8g">https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rxv5-gxqc-xx8g</a>)</li>
</ul>
<p>Please note that we <em>may</em> restore support for allowing "noscript" in a future release. We do not expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal for these tags.</p>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>Improve performance by eliminating needless operations on attributes that are being removed. <a href="https://redirect.github.com/rails/rails-html-sanitizer/issues/188">#188</a></p>
<p><em>Mike Dalessio</em></p>
</li>
</ul>
</blockquote>
</details>

<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/rails/rails-html-sanitizer/blob/main/CHANGELOG.md">rails-html-sanitizer's changelog</a>.</em></p>
<blockquote>
<h2>1.6.1 / 2024-12-02</h2>
<p>This is a performance and security release which addresses several possible XSS vulnerabilities.</p>
<ul>
<li>
<p>The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.</p>
<p>This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).</p>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content), regardless of the <code>prune:</code> option value. Previously, disallowed tags were "stripped" unless the gem was configured with the <code>prune: true</code> option.</p>
<p>The CVEs addressed by this change are:</p>
<ul>
<li>CVE-2024-53986 (GHSA-638j-pmjw-jq48)</li>
<li>CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)</li>
</ul>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags are removed from the allow-list.</p>
<p>The CVEs addressed by this change are:</p>
<ul>
<li>CVE-2024-53988 (GHSA-cfjx-w229-hgx5)</li>
<li>CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)</li>
</ul>
<p>Please note that we <em>may</em> restore support for allowing "noscript" in a future release. We do not expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal for these tags.</p>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>Improve performance by eliminating needless operations on attributes that are being removed. <a href="https://redirect.github.com/rails/rails-html-sanitizer/issues/188">#188</a></p>
<p><em>Mike Dalessio</em></p>
</li>
</ul>
</blockquote>
</details>

<details>
<summary>Commits</summary>
<ul>
<li><a href="5e96b19bbb"><code>5e96b19</code></a> version bump to v1.6.1</li>
<li><a href="383cc7c17f"><code>383cc7c</code></a> doc: update CHANGELOG with assigned CVEs</li>
<li><a href="a7b0cfe103"><code>a7b0cfe</code></a> Combine the noscript/mglyph prevention blocks</li>
<li><a href="5658335ede"><code>5658335</code></a> Merge branch 'h1-2509647-noscript' into flavorjones-2024-security-fixes</li>
<li><a href="65fb72f07e"><code>65fb72f</code></a> Merge branch 'h1-2519936-mglyph-foster-parenting' into flavorjones-2024-secur...</li>
<li><a href="3fe22a8b89"><code>3fe22a8</code></a> Merge branch 'h1-2519936-foreign-ns-confusion' into flavorjones-2024-security...</li>
<li><a href="d7a94c1252"><code>d7a94c1</code></a> Merge branch 'h1-2503220-nokogiri-serialization' into flavorjones-2024-securi...</li>
<li><a href="3fd6e650f9"><code>3fd6e65</code></a> doc: update CHANGELOG</li>
<li><a href="16251735e3"><code>1625173</code></a> fix: disallow 'noscript' from safe lists</li>
<li><a href="a0a3e8b76b"><code>a0a3e8b</code></a> fix: disallow 'mglyph' and 'malignmark' from safe lists</li>
<li>Additional commits viewable in <a href="https://github.com/rails/rails-html-sanitizer/compare/v1.6.0...v1.6.1">compare view</a></li>
</ul>
</details>
<br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/chatwoot/chatwoot/network/alerts).
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Pranav <pranav@chatwoot.com>
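The release notes quoted above tie the fix to two versions: rails-html-sanitizer 1.6.1, and a Nokogiri that is v1.15.7 or >= 1.16.8. As an added example (not part of this PR and not Chatwoot's or rails-html-sanitizer's own code), the Ruby script below audits a Gemfile.lock for exactly those conditions, using only `Gem::Version` and `Gem::Requirement` from Ruby's standard library so no gems need to be installed. The lockfile fragments and the versions in them are constructed for illustration.

```ruby
# Added example (not from the Dependabot PR or the Chatwoot project): audit a
# Gemfile.lock for the rails-html-sanitizer 1.6.1 security release and the
# Nokogiri versions its release notes require (v1.15.7, or >= 1.16.8).
# Gem::Version and Gem::Requirement ship with Ruby; no gems are needed.
require "rubygems"

# Version that carries the fixes for CVE-2024-53985 through CVE-2024-53989.
SANITIZER_FIXED = Gem::Requirement.new(">= 1.6.1")
# Nokogiri constraint stated in the release notes: exactly 1.15.7, or 1.16.8 and up.
NOKOGIRI_FIXED = [Gem::Requirement.new("= 1.15.7"), Gem::Requirement.new(">= 1.16.8")]

# Parse every "specs:" section of a Gemfile.lock into { gem name => Gem::Version }.
# Resolved specs are the 4-space-indented "name (version)" lines; the 6-space
# lines beneath them are dependency constraints and are skipped. A platform
# suffix such as "1.16.7-x86_64-linux" is trimmed to the bare version so that
# Gem::Version does not read the dash as a prerelease marker.
def lockfile_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false if line.match?(/\A\S/) # an unindented line starts a new section
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)\s]+)\)/))
      versions[m[1]] = Gem::Version.new(m[2].split("-").first)
    end
  end
  versions
end

# Return human-readable findings; an empty array means the lockfile is patched.
def audit_sanitizer(lock_text)
  versions = lockfile_versions(lock_text)
  findings = []
  sanitizer = versions["rails-html-sanitizer"]
  if sanitizer && !SANITIZER_FIXED.satisfied_by?(sanitizer)
    findings << "rails-html-sanitizer #{sanitizer} < 1.6.1 (CVE-2024-53985 to CVE-2024-53989)"
  end
  nokogiri = versions["nokogiri"]
  if nokogiri && NOKOGIRI_FIXED.none? { |req| req.satisfied_by?(nokogiri) }
    findings << "nokogiri #{nokogiri} is not 1.15.7 or >= 1.16.8 (CVE-2024-53985)"
  end
  findings
end

# Constructed Gemfile.lock fragments (versions chosen for illustration only).
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.23.1)
        crass (~> 1.0.2)
        nokogiri (>= 1.12.0)
      nokogiri (1.16.7-x86_64-linux)
        racc (~> 1.4)
      rails-html-sanitizer (1.6.0)
        loofah (~> 2.21)
        nokogiri (~> 1.14)

  PLATFORMS
    x86_64-linux
LOCK

# The same lockfile after a bump like this PR's, with a compliant Nokogiri.
PATCHED_LOCK = VULNERABLE_LOCK
  .sub("nokogiri (1.16.7-x86_64-linux)", "nokogiri (1.16.8-x86_64-linux)")
  .sub("rails-html-sanitizer (1.6.0)", "rails-html-sanitizer (1.6.1)")

if __FILE__ == $PROGRAM_NAME
  { "before bump" => VULNERABLE_LOCK, "after bump" => PATCHED_LOCK }.each do |label, lock|
    findings = audit_sanitizer(lock)
    puts "#{label}: #{findings.empty? ? 'ok' : findings.join('; ')}"
  end
end
```

Run it against a real lockfile with `audit_sanitizer(File.read("Gemfile.lock"))`; a non-empty result means the bump in this PR (or the Nokogiri upgrade it depends on) has not landed in that tree. Note that the 1.6.1 gemspec already enforces the Nokogiri bound, so the Nokogiri check mainly matters for lockfiles that pin Nokogiri separately.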
🚨 Note: This branch is unstable. For the stable branch's source code, please use the branch 3.x
Chatwoot
Customer engagement suite, an open-source alternative to Intercom, Zendesk, Salesforce Service Cloud etc.
Chatwoot is an open-source, self-hosted customer engagement suite. Chatwoot lets you view and manage your customer data, communicate with them irrespective of which medium they use, and re-engage them based on their profile.
Features
Chatwoot supports the following conversation channels:
- Website: Talk to your customers using our live chat widget and make use of our SDK to identify a user and provide contextual support.
- Facebook: Connect your Facebook pages and start replying to the direct messages to your page.
- Instagram: Connect your Instagram profile and start replying to the direct messages.
- Twitter: Connect your Twitter profiles and reply to direct messages or the tweets where you are mentioned.
- Telegram: Connect your Telegram bot and reply to your customers right from a single dashboard.
- WhatsApp: Connect your WhatsApp business account and manage the conversation in Chatwoot.
- Line: Connect your Line account and manage the conversations in Chatwoot.
- SMS: Connect your Twilio SMS account and reply to the SMS queries in Chatwoot.
- API Channel: Build custom communication channels using our API channel.
- Email: Forward all your email queries to Chatwoot and view it in our integrated dashboard.
And more.
Other features include:
- CRM: Save all your customer information right inside Chatwoot, use contact notes to log emails, phone calls, or meeting notes.
- Custom Attributes: Define custom attributes to store information about a contact or a conversation and extend the product to match your workflow.
- Shared multi-brand inboxes: Manage multiple brands or pages using a shared inbox.
- Private notes: Use @mentions and private notes to communicate internally about a conversation.
- Canned responses (Saved replies): Improve the response rate by adding saved replies for frequently asked questions.
- Conversation Labels: Use conversation labels to create custom workflows.
- Auto assignment: Chatwoot intelligently assigns a ticket to the agents who have access to the inbox depending on their availability and load.
- Conversation continuity: If the user has provided an email address through the chat widget, Chatwoot will send an email to the customer under the agent name so that the user can continue the conversation over the email.
- Multi-lingual support: Chatwoot supports 10+ languages.
- Powerful API & Webhooks: Extend the capability of the software using Chatwoot’s webhooks and APIs.
- Integrations: Chatwoot natively integrates with Slack right now. Manage your conversations in Slack without logging into the dashboard.
Documentation
Detailed documentation is available at chatwoot.com/help-center.
Translation process
The translation process for Chatwoot web and mobile app is managed at https://translate.chatwoot.com using Crowdin. Please read the translation guide for contributing to Chatwoot.
Branching model
We use the git-flow branching model. The base branch is develop.
If you are looking for a stable version, please use the master or tags labelled as v1.x.x.
Deployment
Heroku one-click deploy
Deploying Chatwoot to Heroku is a breeze. It's as simple as clicking this button:
Follow this link to understand setting the correct environment variables for the app to work with all the features. There might be breakages if you do not set the relevant environment variables.
DigitalOcean 1-Click Kubernetes deployment
Chatwoot now supports 1-Click deployment to DigitalOcean as a kubernetes app.
Other deployment options
For other supported options, check out our deployment page.
Security
Looking to report a vulnerability? Please refer to our SECURITY.md file.
Community? Questions? Support?
If you need help or just want to hang out, come say hi on our Discord server.
Contributors ✨
Thanks go to all these wonderful people:
Chatwoot © 2017-2024, Chatwoot Inc - Released under the MIT License.